trevp / tlslite Goto Github PK
View Code? Open in Web Editor NEWTLS Library in python
License: Other
tlslite's People
Contributors
Stargazers
Watchers
Forkers
zstone d-mo samrushing marcelofernandez tpmanley eaescob loewis grimreaper xlevus dmbaggett amfarrell cnsoft abravetti djs55 bowei blusch ddddavidee cryptolab mothran flowztul seanjensengrey dkg ggonzalez alvarofe tyll perpetual-hydrofoil pfalcon-mirrors davidben kostyll 4b1d michelangelo13 runt18 priestd09 theron ewa zeroleo12345 alex1818 omdathetkan rkondratenko digideskio chris-wood zdzhjx shariques cloudfee csy1234 acidburn0zzz lparth cncabf00 kleopatra999 heinsm motte135 otomakan nerdatmath graingert torsina serrasqueiro sitedata jayvdb sreekanth370 santosh653 dthadi3 andrey4518tlslite's Issues
Continous Integration
Since tlslite has quite a few tests now and we want to preserve compatibility with both old and new Pythons, I think it would be good idea to have some Continuous Integration to run the tests against all those versions.
From what I found, travis-ci.org is free, integrates well with github and has support for multiple execution environments, including Python 2.6, 3.2 and later
Commit 496980f breaks test 26.b
Running 'make test' after commit 496980f fails with a server-side handshake_failure in unit test 26.b.
This appears to be caused by filtering of the sha256 MACs in HandshakeSettings.validate() for pre-TLS 1.2 versions, which results in the server lacking any valid ciphersuites (hence no shared ciphersuites with client, hence handshake_failure). I suspect Fault.ignoreVersionForCipher is supposed to prevent this, but it only inhibits calls to CipherSuite.filterForVersion which was where filtering occurred previously.
I decided against submitting a pull request because I'm not sure what the preferred solution would be; three that come to mind are either to add fault injection to the HandshakeSettings object, to skip validation altogether if a fault has been injected, or to revert the filtering in validate() since it appears (at first glance) to be redundant.
ChaCha20 support
draft-mavrogiannopoulos-chacha-tls is close to being standardised, it would be good to have an implementation of at least the RSA-based ciphers
parsePrivateKey fails with Python 2.7 and PyCrypto due to long vs int
Trying to use tlslite.utils.keyfactory.parsePrivateKey with Python 2.7 when PyCypto is installed raises an unhelpful AssertionError. It comes from within PyCrypto which expects long values rather than int and refuses to take anything else.
I'm going to guess this is due to the Python 3 changes from 0.4.4.
s is not a string, but .find() is applied to it several times
tlslite/tlslite/utils/openssl_rsakey.py
Line 102 in cd82fad
s is not a string, in order to be searched with find() it needs to be converted, e.g.:
ss = str(s,'utf-8')
and then various searches become ss.find, ss.startswith, etc.
Line 106 is potentially problematic even with this fix:
s = s[start:]
since start is effectively a character count.
TypeError: must be long, not int
I installed tlslite on Ubuntu 12.04 with
git pull https://github.com/trevp/tlslite.git
sudo python setup.py install
which passes fine. But when I try to do the inital test like told in the README:
tlslite/tests$ ./tlstest.py server localhost:4443 .
Traceback (most recent call last):
File "./tlstest.py", line 791, in <module>
serverTestCmd(sys.argv[2:])
File "./tlstest.py", line 460, in serverTestCmd
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
File "/usr/local/lib/python2.7/dist-packages/tlslite/x509.py", line 43, in parse
self.parseBinary(bytes)
File "/usr/local/lib/python2.7/dist-packages/tlslite/x509.py", line 97, in parseBinary
self.publicKey = _createPublicRSAKey(n, e)
File "/usr/local/lib/python2.7/dist-packages/tlslite/utils/keyfactory.py", line 179, in _createPublicRSAKey
return PyCrypto_RSAKey(n, e)
File "/usr/local/lib/python2.7/dist-packages/tlslite/utils/pycrypto_rsakey.py", line 18, in __init__
self.rsa = RSA.construct( (n, e) )
File "/usr/lib/python2.7/dist-packages/Crypto/PublicKey/RSA.py", line 235, in construct
key = self._math.rsa_construct(*tup)
TypeError: must be long, not int
error when using TLSSocketServerMixin
Hi, I'm trying to use the TLSSocketServerMixin and getting this error, after a successful TLS connection:
Traceback (most recent call last):
File "/usr/lib64/python2.7/SocketServer.py", line 582, in process_request_thread
self.finish_request(request, client_address)
File "/usr/lib/python2.7/site-packages/tlslite/integration/tlssocketservermixin.py", line 56, in finish_request
self.RequestHandlerClass(tlsConnection, client_address, self)
File "/usr/lib64/python2.7/SocketServer.py", line 640, in __init__
self.finish()
File "/usr/lib64/python2.7/SocketServer.py", line 694, in finish
self.wfile.close()
File "/usr/lib64/python2.7/socket.py", line 282, in close
self._sock.close()
AttributeError: 'NoneType' object has no attribute 'close'
My code is here: https://github.com/agrover/targetd/blob/master/targetd
I'm still investigating (I need this to work :) but wanted to open the issue in case you had some quick insight into it.
Thanks -- Andy (btw tlslite is packaged in Fedora now)
Missing import base64
In compat.py (https://github.com/trevp/tlslite/blob/master/tlslite/utils/compat.py#L49)
base64 is used but not imported. It does not break because the function it implements (b2a_base32) it not used in tlslite.
I suggest adding the import or removing this function.
Fix Checker Description
The README of tlslite states
To save yourself the trouble of inspecting certificates and/or TACKs after the
handshake, you can pass a Checker object into the handshake function. The
checker will be called if the handshake completes successfully. If the other
party isn't approved by the checker, a subclass of TLSAuthenticationError will
be raised.
but actually the checker is no checking of TACKs in any form. Or am I missing something?
Sending ClientHellos results in TLSAbruptCloseErrors
I would like to send ClientHellos with tlslite but I get TLSAbruptCloseErrors when trying to get the server's response. Can you please help?
script:
#!/usr/bin/python -tt
# vim: fileencoding=utf8
import socket
import tlslite
class TLSConnectionTester(tlslite.tlsrecordlayer.TLSRecordLayer):
def __init__(self, sock):
tlslite.tlsrecordlayer.TLSRecordLayer.__init__(self, sock)
def test(
self,
cipher=tlslite.constants.CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA):
session_id = bytearray(0)
version = (3, 2)
client_hello = tlslite.messages.ClientHello()
ciphers = [tlslite.constants.CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
cipher, 52, 58]
print ciphers
client_hello.create(version,
tlslite.utils.cryptomath.getRandomBytes(32),
session_id,
ciphers,
[tlslite.constants.CertificateType.x509],
None, False, False, "")
self._handshakeStart(client=True)
for result in self._sendMsg(client_hello):
yield result
if result in (0, 1):
print "wait"
else:
break
for result in self._getMsg(
tlslite.constants.ContentType.handshake,
tlslite.constants.HandshakeType.server_hello):
print result
if result in (0, 1):
yield result
else:
break
server_hello = result
yield server_hello
def makesocket():
sock = socket.socket()
sock.connect(("127.0.0.1", 443))
return sock
if __name__ == "__main__":
sock = makesocket()
tlscon = TLSConnectionTester(sock)
for r in tlscon.test():
pass
Exception:
TLSAbruptCloseError Traceback (most recent call last)
/usr/lib/python2.7/site-packages/IPython/utils/py3compat.pyc in execfile(fname, *where)
176 else:
177 filename = fname
--> 178 __builtin__.execfile(filename, *where)
/home/till/tlslite/tlsscan.py in <module>()
56 tlscon = TLSConnectionTester(sock)
57
---> 58 for r in tlscon.test():
59 pass
/home/till/tlslite/tlsscan.py in test(self, cipher)
36 for result in self._getMsg(
37 tlslite.constants.ContentType.handshake,
---> 38 tlslite.constants.HandshakeType.server_hello):
39 print result
40 if result in (0, 1):
/home/till/tlslite/tlslite/tlsrecordlayer.pyc in _getMsg(self, expectedType, secondaryType, constructorType)
666 # - we receive an empty application-data fragment; we try again
667 while 1:
--> 668 for result in self._getNextRecord():
669 if result in (0,1):
670 yield result
/home/till/tlslite/tlslite/tlsrecordlayer.pyc in _getNextRecord(self)
840 #If the connection was abruptly closed, raise an error
841 if len(s)==0:
--> 842 raise TLSAbruptCloseError()
843
844 b += bytearray(s)
TLSAbruptCloseError: TLSAbruptCloseError()
ALPN support
Hi,
TLSlite supports NPN (cool), but the IETF is going to ALPN:
https://www.imperialviolet.org/2013/03/20/alpn.html
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg
Is there any update to support ALPN already in progress?
TackBreakSig not found
TLSLite attempts to look for TackBreakSig but the most recent source code or latest release download does not have that module yet. Is this a new module that will be committed soon?
Thanks! Great work!
Extended Master Secret support
Since tlslite supports session resumption and doesn't support ECDHE key exchange, it is vulnerable to the 3shake attack, as such, it should implement the draft-ietf-tls-session-hash-04.
Lack of implicit full certificate verification makes this attack especially easy to perform against tlslite.
asyncio error with python 3.7
When running tests the following error is raised with Python >= 3.7
tlslite (unittest.loader._FailedTest) ... ERROR
======================================================================
ERROR: tlslite (unittest.loader._FailedTest)
----------------------------------------------------------------------
ImportError: Failed to import test module: tlslite
Traceback (most recent call last):
File "/nix/store/6lm4gi5iv8fbf1b1mm6g3gfnnv63f1gn-python3-3.7.1/lib/python3.7/unittest/loader.py", line 468, in _find_test_path
package = self._get_module_from_name(name)
File "/nix/store/6lm4gi5iv8fbf1b1mm6g3gfnnv63f1gn-python3-3.7.1/lib/python3.7/unittest/loader.py", line 375, in _get_module_from_name
__import__(name)
File "/build/tlslite-0.4.9/tlslite/__init__.py", line 27, in <module>
from tlslite.api import *
File "/build/tlslite-0.4.9/tlslite/api.py", line 11, in <module>
from .tlsconnection import TLSConnection
File "/build/tlslite-0.4.9/tlslite/tlsconnection.py", line 71
async=False):
^
SyntaxError: invalid syntax
----------------------------------------------------------------------
Ran 1 test in 0.000s
See pypa/pipenv#956 for details
would you like JKS (Java KeyStore) file format support?
https://github.com/doublereedkurt/pyjks
I'm the maintainer of a single-module JKS file reader.
I think utils/jks.py would make sense to have next to utils/pem.py
https://github.com/trevp/tlslite/blob/14f2c60d93b642f080bef664cc718d2ea1291487/tlslite/utils/pem.py
I'd be happy to help integrate the code.
Handshake error
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 308, in handshakeClientCert
for result in handshaker:
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 324, in _handshakeClientAsync
for result in self._handshakeWrapperAsync(handshaker, checker):
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 1777, in _handshakeWrapperAsync
for result in handshaker:
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 472, in _handshakeClientAsyncHelper
serverHello.tackExt):
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 837, in _clientRSAKeyExchange
encryptedPreMasterSecret = publicKey.encrypt(premasterSecret)
File "/usr/local/lib/python2.7/dist-packages/tlslite/utils/rsakey.py", line 151, in encrypt
c = self._rawPublicKeyOp(m)
File "/usr/local/lib/python2.7/dist-packages/tlslite/utils/pycrypto_rsakey.py", line 36, in _rawPublicKeyOp
m = self.rsa.encrypt(c, None)[0]
File "/usr/local/lib/python2.7/dist-packages/Crypto/PublicKey/RSA.py", line 390, in encrypt
raise NotImplementedError("Use module Crypto.Cipher.PKCS1_OAEP instead")
NotImplementedError: Use module Crypto.Cipher.PKCS1_OAEP instead
Coverity measurement
So we now have pretty decent CI setup (thanks for the quick merges!), we can easily extend it to also include coverity checks.
Question is, how do we do it?
I see two options:
- Coveralls, (example report: https://coveralls.io/r/pyca/pyopenssl )
- diff-coverage test in
.travis.yml, similar to the pylint check, where we just get pass/fail based on a threshold value
Cannot Decode Public Keys
python_rsakey.Python_RSAKey.parsePEM()'s docstring:
"""Parse a string containing a <privateKey> or <publicKey>, or
PEM-encoded key."""It's implementation:
if pemSniff(s, "PRIVATE KEY"):
bytes = dePem(s, "PRIVATE KEY")
return Python_RSAKey._parsePKCS8(bytes)
elif pemSniff(s, "RSA PRIVATE KEY"):
bytes = dePem(s, "RSA PRIVATE KEY")
return Python_RSAKey._parseSSLeay(bytes)
else:
raise SyntaxError("Not a PEM private key file")Which means that public_key = keyfactory.parseAsPublicKey(rsa_public_key) will never work.
Twisted support
Support for Twisted via a TLSLite-based implementation of a Twisted endpoint would be great.
About Twisted endpoints:
http://twistedmatrix.com/documents/current/core/howto/endpoints.html
https://speakerdeck.com/ashfall/twisted-logic-endpoints-and-why-you-shouldnt-be-scared-of-twisted
Website with tlslite is broken after some hours of operations
how to reproduce
Setup a web server with tlslite and SessionCache enabled
do the following request
$ openssl s_client -reconnect -connect 127.0.0.1:8082 < /dev/null
Wait for the session timeout (default is 4 hours)
Do the above request again.
expected result
request should work
actual result
The second request returns with an error on SSL level
89484:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.8.1/src/ssl/s3_pkt.c:564:
analysis
explaination and proposed fix is in pull request #67
tlslite/utils/cryptomath.py contains incorrect construct for Python 3
tlslite/tlslite/utils/cryptomath.py
Line 121 in cd82fad
The "ord()" function here is redundant with Python 3, and will produce an error. It should be removed.
SRP_SHA_RSA are implemented incorrectly
Current code in messages.py:
def write(self):
w = Writer()
if self.cipherSuite in CipherSuite.srpAllSuites:
w.addVarSeq(numberToByteArray(self.srp_N), 1, 2)
w.addVarSeq(numberToByteArray(self.srp_g), 1, 2)
w.addVarSeq(self.srp_s, 1, 1)
w.addVarSeq(numberToByteArray(self.srp_B), 1, 2)
if self.cipherSuite in CipherSuite.srpCertSuites:
w.addVarSeq(self.signature, 1, 2)
elif self.cipherSuite in CipherSuite.anonSuites:
w.addVarSeq(numberToByteArray(self.dh_p), 1, 2)
w.addVarSeq(numberToByteArray(self.dh_g), 1, 2)
w.addVarSeq(numberToByteArray(self.dh_Ys), 1, 2)
if self.cipherSuite in []: # TODO support for signed_params
w.addVarSeq(self.signature, 1, 2)
return self.postWrite(w)
def hash(self, clientRandom, serverRandom):
oldCipherSuite = self.cipherSuite
self.cipherSuite = None
try:
bytes = clientRandom + serverRandom + self.write()[4:]
return MD5(bytes) + SHA1(bytes)
finally:
self.cipherSuite = oldCipherSuite
will cause the hash to not include the set SRP parameters (note the self.cipherSuite = None line), also, the signature algorithm is incorrect for TLSv1.2 protocol
Use appveyor for Windows CI testing
We have Linux CI testing but now Windows, would be nice if someone wants to figure that out.
SNI with HTTPTLSConnection missing
The HTTPTLSConnection class does not send SNI information.
It can be tested by connecting to an SNI-only site and looking at the certificate:
>>> from tlslite.api import HTTPTLSConnection
>>> c = HTTPTLSConnection("biewald.dedyn.io", 443)
>>> c.request("GET", "")
>>> print(c.tlsSession.serverCertChain.x509List[0].bytes)
bytearray(b"0\x82\...\x82\x0evarbin.noip.me0Q...\xc3\xdf")My python version is 3.5.0 and my tlslite version is 0.4.9 from PyPi.
handshake_failure
hi tls-dev:
i successfully install the tls, and run the test-suite like this:
./tlstest.py server localhost:4443 .
and open another shell, type
./tlstest.py client localhost:4443 .
then i get an error log like this. could you please help me to solve this problem.
Traceback (most recent call last):
File "./tlstest.py", line 981, in
clientTestCmd(sys.argv[2:])
File "./tlstest.py", line 478, in clientTestCmd
connection.handshakeClientCert()
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 308, in handshakeClientCert
for result in handshaker:
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 324, in _handshakeClientAsync
for result in self._handshakeWrapperAsync(handshaker, checker):
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 1777, in _handshakeWrapperAsync
for result in handshaker:
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 418, in _handshakeClientAsyncHelper
for result in self._clientGetServerHello(settings, clientHello):
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 559, in _clientGetServerHello
HandshakeType.server_hello):
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsrecordlayer.py", line 722, in _getMsg
raise TLSRemoteAlert(alert)
tlslite.errors.TLSRemoteAlert: handshake_failure
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.